< ciso brief />

All news with #supply chain compromise tag

525 articles · page 9 of 27

Geopolitics and Cyber Conflict: Europe’s Strategic Reckoning

🛡️ Rising geopolitical tensions have made cyber operations a central instrument of statecraft, forcing European organizations to rethink digital architectures and trust assumptions. The article reviews state-linked campaigns from the mid-2000s through 2025, the evolution of hacktivism into state‑aligned actors, and the persistence of cyber extortion ecosystems. It highlights trends—identity- and edge-focused attacks, supply-chain and appliance compromises—and recommends prevention, detection, incident response, and public‑private coordination, including tabletop rehearsals and recovery drills.

Supply-chain attack via Trivy, Checkmarx and LiteLLM

🔒 Millions of CI/CD pipelines were exposed after the threat actor TeamPCP injected malicious code into widely used tools — Trivy, Checkmarx workflows, and LiteLLM packages — enabling credential theft and persistent backdoors. The compromised artifacts were live only briefly but likely executed broadly, exfiltrating cloud keys, SSH credentials and cryptocurrency wallets. Immediate steps include pinning dependencies to exact SHAs, rotating secrets, hunting for traffic to typosquatted domains, and restoring affected systems from verified backups.

GlassWorm Campaign Uses Solana Dead-Drops for RAT Operations

🔍 Cybersecurity researchers report a new GlassWorm evolution that delivers a multi-stage data theft framework and a remote access trojan (RAT) which force-installs a malicious Google Chrome extension masquerading as Google Docs Offline. The campaign gains initial access via rogue packages on npm, PyPI, GitHub and Open VSX, and resolves C2 addresses using Solana memos and public Google Calendar dead drops. A .NET component performs hardware wallet phishing when Ledger or Trezor devices are connected, while a WebSocket RAT harvests browser data, executes arbitrary JavaScript, and supports HVNC and SOCKS modules. Developers are urged to verify publishers and use scanning tools such as AFINE's glassworm-hunter.

Trivy supply-chain breach escalates into Lapsus$ extortion

🔐 A supply-chain compromise of Trivy has escalated into an extortion campaign linked to Lapsus$, with Mandiant reporting over 1,000 impacted enterprise SaaS environments and the potential for many more. Initial access by cloud-native actor TeamPCP led to stolen credentials that were used to backdoor packages and extend control to projects such as LiteLLM. Security firms Wiz and Socket describe malicious Docker and npm artifacts, a self-replicating worm, and manipulated CI/CD tags, while Aqua Security and partners work to rotate credentials and contain the incident.

TeamPCP Expands Supply-Chain Attacks via PyPI LiteLLM

📦 The widely used Python package LiteLLM on PyPI was found to contain credential-stealing malware in versions 1.82.7 and 1.82.8, uploaded on 24 March 2026. Security researchers report the malicious code harvested SSH keys, cloud credentials, Kubernetes secrets, database credentials, TLS keys and cryptocurrency wallets, then encrypted and exfiltrated the data to attacker infrastructure and installed persistent backdoors. Endor Labs and JFrog analysis showed the later variant executed whenever any Python process started, enabling silent background operation; version 1.82.6 is the last known clean release and organizations are urged to rotate secrets and audit systems for compromise.

PyPI Warns After LiteLLM Packages Steal Cloud Secrets

⚠️ PyPI warned developers after two malicious releases of the Python LLM middleware LiteLLM were briefly posted, potentially exposing any credentials accessible to the package environment. Sonatype and Wiz analyses describe a three-stage, obfuscated payload that harvested environment variables, cloud and CI/CD credentials, SSH keys, and other sensitive artifacts, encrypting stolen data before exfiltration. PyPI linked the uploads to an exploited Trivy dependency in the ongoing TeamPCP supply-chain campaign and urged users to revoke or rotate secrets that may have been exposed.

Detecting and Defending Trivy Supply Chain Compromise

🔒 Microsoft provides operational guidance to detect, investigate, and mitigate the March 19, 2026 supply-chain compromise that weaponized the Trivy vulnerability scanner and related GitHub Actions. The campaign, attributed to TeamPCP, used prior access to force-push tag changes and publish a trojanized Trivy binary (v0.69.4), enabling credential theft while preserving legitimate scan output. The guidance describes observable telemetry, hunting queries, and immediate remediation steps including safe versions, action pinning, and secrets protections.

LiteLLM PyPI Package Compromised in TeamPCP Attack

🔒 The LiteLLM PyPI package was compromised by the TeamPCP group, which pushed malicious releases (1.82.7 and 1.82.8) that execute a hidden payload on import. Version 1.82.8 also installed a litellm_init.pth so the code runs at Python interpreter startup. The payload deploys a credential stealer, establishes persistence, and exfiltrates encrypted archives to attacker infrastructure. Users should immediately check installations and rotate secrets.

TeamPCP Backdoors LiteLLM Versions on PyPI via Trivy

⚠️ Security researchers report that TeamPCP published backdoored litellm packages (v1.82.7 and v1.82.8) to PyPI on March 24, 2026, likely leveraging a Trivy compromise in the project's CI/CD. The malicious wheels included a three-stage payload: a credential harvester, a Kubernetes lateral-movement toolkit, and a persistent systemd backdoor executed at import or interpreter startup. Vendors removed the tainted releases and urge immediate audits, isolation of affected hosts, credential rotation, and inspection of Kubernetes clusters for rogue pods and persistence.

NPM 'Ghost' Campaign Uses Fake Install Logs to Hide Malware

🔍 Security researchers at ReversingLabs uncovered a malicious npm campaign, dubbed the 'Ghost campaign', that uses fabricated installation logs to conceal downloader behavior. Malicious packages impersonate legitimate installs—displaying fake dependency downloads, progress bars and random delays—and prompt users for their sudo password under false pretenses. That credential is then used to fetch and execute a final-stage remote access trojan capable of stealing crypto wallets and sensitive data; researchers advise verifying package authors, monitoring install scripts and avoiding sudo prompts during installs.

Ghost campaign uses npm packages to steal crypto wallets

🛡️ Security researchers at ReversingLabs have uncovered a set of malicious npm packages published by user mikilanjillo that phish for sudo credentials and deploy a multi-stage downloader to steal cryptocurrency wallets and other sensitive data. The packages display fake npm install logs and inject delays to mask their actions, then prompt for elevated privileges to retrieve a remote payload via Telegram. The final stage installs a remote access trojan capable of harvesting browser credentials, wallets, SSH keys, and developer tokens.

TeamPCP Expands Supply-Chain Attacks on Checkmarx Actions

🔒 Two GitHub Actions maintained by Checkmarx (ast-github-action and kics-github-action) were compromised by the credential-stealing operation TeamPCP. The malware harvests CI and cloud credentials and exfiltrates encrypted archives named tpcp.tar.gz to a vendor-typosquat domain. Actors also create a fallback repository (docs-tpcp) using stolen GITHUB_TOKENs and have trojanized Open VSX extensions. Organizations are advised to rotate secrets, audit runner logs, and pin Actions to full commit SHAs.

TeamPCP Deploys Iran-Targeted Wiper via Kubernetes

🧨 The TeamPCP group is deploying a geopolitically targeted wiper that seeks out Iranian systems and either destroys host data or implants a persistent backdoor on Kubernetes nodes. Aikido researchers link the campaign to the earlier CanisterWorm and Trivy supply-chain incidents, noting identical C2 infrastructure and the same /tmp/pglog drop path. When Iran indicators (timezone/locale) and Kubernetes are detected, the malware creates a privileged DaemonSet named Host-provisioner-iran that mounts the host root and runs Alpine containers called "kamikaze" to delete top-level directories and force a reboot. If Kubernetes is present but the host is not identified as Iranian, it deploys host-provisioner-std to write a Python backdoor and install it as a systemd service; variants also propagate via SSH or unauthenticated Docker APIs.

Trivy Supply-Chain Attack Spreads to Docker and GitHub

🔔 The TeamPCP threat actor extended its Trivy supply‑chain attack by pushing malicious Docker images and hijacking Aqua Security's GitHub organization, tampering with multiple repositories. Security researchers and Socket identified Docker Hub images tagged 0.69.5 and 0.69.6 that lack corresponding GitHub releases and contain indicators of compromise linked to the TeamPCP Cloud stealer. Aqua said incomplete token rotation after an earlier incident allowed attackers to reuse credentials, and the company published safe Trivy releases while engaging Sygnia to investigate and remediate.

CanisterWorm Wiper Targets Iran via Compromised Cloud

🚨 A financially motivated group known as TeamPCP deployed a self‑propagating worm called CanisterWorm that spreads through poorly secured cloud control planes and conditionally executes a destructive wiper on systems set to Iran’s timezone or Farsi locale. The actors leveraged exposed Docker APIs, misconfigured Kubernetes clusters, Redis servers and the React2Shell vector, and inserted credential‑stealing code into official Trivy releases via compromised GitHub Actions. Researchers observed the group using ICP canisters to host payloads and noted the malicious builds were active only intermittently, leaving uncertainty about the extent of successful data destruction.

Trivy Supply Chain Attack Expands With New Images Now

🛡️ Researchers have identified additional compromised Docker images tied to the Trivy supply‑chain incident after attackers injected credential‑stealing malware into official releases and GitHub Actions. New Docker tags 0.69.5 and 0.69.6 were uploaded on March 22 without matching GitHub releases and contain IOCs linked to the TeamPCP infostealer. Aqua Security confirmed repository tampering and advised teams to treat CI/CD scans as potentially compromised while noting its commercial products appear unaffected.

Weekly Cyber Recap: CI/CD Backdoor and Emerging Threats

🔒 This week’s recap highlights a major supply-chain compromise of Trivy, where attackers injected credential‑stealing malware into official releases and GitHub Actions, producing a self‑propagating worm called CanisterWorm that affected thousands of CI/CD workflows. Law enforcement dismantled several massive IoT botnets built from routers, cameras and DVRs, while high‑severity flaws — including a critical Langflow RCE and a Cisco FMC 0‑day exploited by Interlock ransomware — were weaponized within hours of disclosure.

Trivy supply-chain breach spreads infostealer via Docker

🚨 Researchers uncovered trojanized Trivy images on Docker Hub after a supply-chain compromise that pushed malicious releases to developer environments. The last known clean release is 0.69.3; tags 0.69.4–0.69.6 were removed after analysis linked several images to the TeamPCP infostealer. The incident also affected related GitHub Actions and spawned downstream npm compromises and repository defacements.

Trivy Supply-Chain Breach Pushes Infostealer via GitHub

🛡️ The Trivy vulnerability scanner was compromised in a supply-chain attack that injected an infostealer into official releases and GitHub Actions. Researchers attribute the campaign to TeamPCP, which trojanized the trivy binary (v0.69.4) and replaced GitHub Action entrypoints, affecting many trivy-action tags. The malware harvested a broad range of credentials, exfiltrated data to a typosquatted C2, and deployed persistence on infected hosts. Organizations using affected versions should assume full compromise and rotate secrets immediately.

CanisterWorm: npm Worm Spreads via Trivy Supply-Chain Attack

🛡️ The actors behind the Trivy supply-chain compromise are now suspected of seeding a self-propagating worm called CanisterWorm, which uses an ICP canister (Internet Computer blockchain smart contract) as a decentralized dead drop for command-and-control. The chain abuses an npm postinstall hook to drop a Python backdoor and establishes persistence via a masquerading systemd user service that restarts automatically. A new variant harvests local npm tokens during postinstall and launches an automated propagation routine, turning compromised developers and CI pipelines into unwitting distributors.